Some new personal data types rather complex. No new interface in Opera and Internet Explorer. Some components out of date.

Bottom Line

LastPass offers advanced password management features that few free competitors offer, and it has an updated user interface. However, some of its features are a bit dated.

Keeping track of dozens or hundreds of strong, unique passwords just isn't possible without a password manager. Fortunately, you can get the necessary help without breaking the bank. The free edition of LastPass has plenty of features, more than some of its for-pay competitors, and it syncs across all your Windows, macOS, Android, and iOS devices. The product is still at version 4, but its designers have given the interface a facelift and slipped in some handy new features—enough to merit an updated review.

It's worth noting that many commercial password managers offer a free edition that has stringent limitations. Some, like RoboForm, put a limit on the number of passwords free users can save. Others, like Dashlane and Keeper, are only free if you use them on a single device. LastPass, on the other hand, has no limits on syncing or on the number of passwords. You simply get additional features if you opt for LastPass Premium.

Getting Started With LastPass

When you click the link to get a free LastPass account, it installs as an extension in your default browser. When you launch this extension, it walks you through creating a LastPass account. After you enter your email, you create a strong master password. LastPass doesn't ask for much. The password must be eight characters, must not be your email address, and must not be "easily guessable." When I typed "Password," it checked off the first two requirements; making it "Password!" got all three. Don't let those green checks make you complacent; create a proper strong master password. After all, it protects all your other passwords! And consider enabling two-factor authentication, which I'll explain below.

With the account created, LastPass walks you through saving a password for Google, Facebook, Amazon, or Netflix. Pop-up notifications explain that you first log in as usual, then you click the Add button when LastPass offers to save it. In testing, my browser locked up at the second step, but I did get the pop-up explanations.

Keeper Password Manager & Digital Vault boasts an even more elaborate onboarding system. It starts by offering to import passwords from your browsers, then proceeds to walk you through creating a password record. After you install the browser extension, it offers a tour of the extension's features. It also encourages you to enable two-factor authentication.

During installation, LastPass used to offer to import passwords from your browsers and turn off password capture in the browsers. This feature is still available; it just doesn't happen as part of the installation.

LastPass also used to offer a one-time password each time you'd install it on a new device. In the event you forgot your master password, you could reset it using the one-time password, much like the way Keeper uses your security answer for master password reset. Here again, you can dig in and create one-time passwords, but it's no longer part of the installation flow.

One thing worth noting: While LastPass installed in my default browser, Chrome, I found that I had to manually install it on Firefox, Opera, and Internet Explorer. Had I dug in to find the LastPass Universal Windows Installer instead of just clicking the Get LastPass Free button, it would have handled Chrome, Firefox, Internet Explorer, Opera, and Safari, if present. It also offered to import passwords stored insecurely in the browsers.

Password Capture and Replay

When you log in to a secure site, LastPass offers to save your credentials. You can just click Add and continue, or click Edit for more options. Clicking Edit lets you assign the captured login to a new or existing folder, or tell LastPass you never want to save a password for the site. As with 1U Password Manager, you can't enter a friendly name directly in the pop-up window, but you can take care of that in the main interface.

Like most password managers, LastPass immediately fills in your credentials when you revisit a site. Enpass and KeePass are among the few that require you to manually trigger filling credentials. If you've stored more than one set, LastPass adds a small number to the icon it puts inside the username and password fields. Clicking this gets you a menu of all available logins. But why revisit the site? Click the toolbar button and search for the desired site, or find it in the list of all items. LastPass both navigates to the site and logs you in.

Most websites use a standard login format that password managers easily recognize. If you hit a weird site, one that LastPass doesn't catch automatically, never fear. As with Sticky Password Premium, RoboForm, and a few others, you can just enter your credentials and then tell LastPass to save everything. The technique has changed a bit. Where you used to just select Save All Entered Data from the Tools menu, you now select Add item and scroll to the bottom of the resulting menu to find Save All Entered Data.

Enter the Vault

You can do a lot from the updated browser toolbar menu, but access to some features requires that you open the online password vault. Initially, the vault displays a tile for each item you've saved. The tiles were so big that on my test system there was only room for a single column of them. That was in part because an advertisement for the new LastPass Family took up part of the page's width. To get even two columns of tiles, I had to collapse the left-rail menu. Finally, I discovered the compact view, which shrank the tiles to manageable size. You can also choose to view your items as a list rather than in tile format.

Selecting a password entry reveals three icons, for editing, sharing, and deleting. I'll discuss sharing below. When you edit an item, you can change its displayed name, add a note, or move it to another folder. However, it's easier to organize your passwords into folders using drag and drop. Advanced options let you require reentering the master password for the item, autofill it without waiting, and keep the entry but disable autofill entirely.

From the left-rail menu you can select Passwords, Notes, Addresses, Payment Cards, or Bank Accounts. Secure notes just store and sync sensitive information, optionally with an attachment. Addresses are similar to what previous editions called Form Fills. Payment cards and bank accounts are self-explanatory.

LastPass is moving away from making a big distinction between the various kinds of personal data items. Whichever type you've selected for display, clicking the Add icon lets you choose any kind of item from its big list of options.

Why is it a big list? Because LastPass now lets you store 13 other types of personal data. These include logical items such as driver's licenses, passports, and social security numbers. There are also some odd ones, like database and server logins, and software licenses. I had to resort to Google to remind myself what an SSH Key is. When you create an instance of an item type, that type appears on the left-rail menu, which scrolls if necessary.

Unfortunately, I found that in Internet Explorer and Opera, the LastPass Vault still uses the old format. You can access your passwords and secure notes, and you can edit items of the new types, but you can only create old-style secure notes. My company contact tells me that support for Opera and IE will come in the next few months. New signups get the new interface, but the update is rolling out gradually for existing users.

Password Generator

When you sign up for a new account or change your password for an existing account, LastPass offers to generate a secure password. By default, the password generator creates 12-character passwords, the same default as Keeper and Dashlane. LastPass defaults to using at least one digit and a mix of capital and small letters, omitting symbols. If for some reason you need to remember the password and can accept a security hit, the Easy to say option gives you passwords like FIEDYcAuGHTE or REAVACEtoRTE. The Easy to read option avoids ambiguous characters like capital O and digit 0.

Default settings for password generation vary wildly between programs. At the low end, if you generate a password using the default settings in Ascendo DataVault Password Manager, you get a weak password of just eight alphabetic characters, like DQEogIwx. At the other end, Myki's default settings give you huge 30-character passwords. In between, Password Boss Premium and KeePass create 20-character passwords by default. Since the program remembers it for you, it might as well be long. For LastPass users, I recommend cranking the length up to at least 16 characters and including symbols.
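To put numbers on the defaults compared above, here is an added example (not LastPass's code) that generates passwords under those policies and estimates their entropy. The symbol set, the exact list of ambiguous characters, and the 62-character alphabet used for the 20- and 30-character rows are assumptions, since the review does not give them.

```python
import math
import secrets
import string

# Assumption: the review names capital O and digit 0; the rest are typical look-alikes.
AMBIGUOUS = set("O0oIl1")
# Assumption: an illustrative symbol set, not the one LastPass uses.
SYMBOLS = "!#$%&*@^"


def build_classes(symbols=False, easy_to_read=False):
    """Return the character classes a generated password draws from."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(SYMBOLS)
    if easy_to_read:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    return classes


def generate(length=12, symbols=False, easy_to_read=False):
    """Generate a password containing at least one character from every class."""
    classes = build_classes(symbols, easy_to_read)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    # Rejection sampling: draw uniformly with a CSPRNG and retry until the
    # policy holds, so no position in the password is predictable.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound on entropy, in bits, of a uniformly random password."""
    return length * math.log2(alphabet_size)


def compare_defaults():
    """Entropy of the defaults the review lists and of its recommendation."""
    mixed = 26 + 26 + 10  # upper, lower, digits
    return {
        "datavault_8_letters": entropy_bits(8, 52),
        "lastpass_12_no_symbols": entropy_bits(12, mixed),
        "recommended_16_with_symbols": entropy_bits(16, mixed + len(SYMBOLS)),
        "length_20_mixed": entropy_bits(20, mixed),  # alphabet assumed
        "length_30_mixed": entropy_bits(30, mixed),  # alphabet assumed
    }


if __name__ == "__main__":
    print("default style:    ", generate())
    print("recommended style:", generate(16, symbols=True))
    for name, bits in compare_defaults().items():
        print(f"{name:30s} {bits:6.1f} bits")
```

Each added character is worth about six bits with this alphabet, which is why length matters more than the choice of symbol set.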

When you do sign up for a new account, LastPass captures your credentials, and it offers to update its saved password when you make a change. This works whether or not you accept the aid of the password generator.

Emergency Access

It's not the most cheerful thought, but what happens to your passwords if you keel over unexpectedly? How will your heirs access your bank account, or let your social media circle know what happened? The Emergency Access feature lets you define one or more contacts who can access your passwords in the event of your untimely demise.

Emergency Access in LastPass works much like the similar feature in Dashlane and Keeper. You enter your recipient's email address and define a waiting period. Recipients must install LastPass, if they haven't already, and accept your connection request. Now if something happens to you, the recipient simply requests access to your account. Dashlane does let you pass along just a subset of your saved credentials—for example, you might define a coworker as recipient of your work-specific passwords. That's not an option in LastPass.

With the free LogMeOnce Password Management Suite Premium, you can define one heir for your entire collection and five for individual logons. Zoho Vault distinguishes work passwords from personal ones; the administrator can unilaterally take over work passwords for an ex-employee.

Here's where the waiting period comes in. Suppose your trusted recipient decides to jump the gun and get your passwords before you've kicked the bucket. The initial request for access triggers a notification, and you can deny the access request at any time during the waiting period. In a real emergency, your recipient automatically gets access after that time elapses.

Clicking Emergency Access lets you view two pages, People I Trust (your password heirs) and People Who Trust Me (those who've made you their emergency access contact). On the People I Trust page you can delete anyone from the list, or change the waiting period. On the People Who Trust Me page, you can bow out of the emergency access role.

Password Sharing

We normally advise against sharing your passwords promiscuously, but there are situations that merit sharing. You and your partner may share a bank account, for example. If you must share, you should do it safely.

Sharing passwords with other users is a common feature among password managers, though it's found more in commercial products than free ones. 1U Password Manager limits sharing to its mobile app. Enpass Password Manager 5 sends the credentials as an encrypted data block. Users of the free LogMeOnce can share just five passwords.

That makes LastPass the most flexible free password manager as far as sharing goes. Just select an item in the vault, click the sharing icon, and enter the recipient's email address. Recipients who already use LastPass will see a notification that a new share has arrived; others will get an email message explaining how to create an account and accept the share. The recipient can use the shared item to log in. As with LogMeOnce, you choose whether to make the password visible.

Other products take sharing even further. With Keeper, you control whether the recipient can edit the login or share it with others; you can even make the recipient the owner. Dashlane lets you make the recipient a co-owner.

Sharing Center

The Sharing Center within the online vault lets you easily manage your shared items. As with emergency access, you can relinquish access to credentials that others have shared with you, or cut off others with whom you've shared passwords.

There's also a tab for managing shared folders. However, if you try to make use of it you'll quickly learn that you must upgrade to LastPass Family to use shared folders. Note that shared folders used to be a feature of LastPass Premium, but not anymore.

Filling Web Forms

When you've got a product that can automatically fill in login credentials, it's just a short step to making it fill personal data into Web forms. However, not many free password managers include this feature. LastPass and LogMeOnce are among the few, along with Norton Identity Safe.

You can store multiple Addresses in LastPass, each with a variety of personal and contact information. As noted, LastPass now also supports storing numerous other types of personal data. RoboForm Everywhere lets you create multiple instances of any form-fill field, and Dashlane stores the various components of personal data (phone numbers, emails, and so on) separately.

To fill a form using LastPass, you need to find the little icon it adds to one of the fields. Click that icon, select a profile, and your form is filled. You can also right-click any field, click LastPass in the context menu, and select an item to autofill.

In testing, I found the right-click autofill option confusing. It didn't offer every type of saved data—for example, driver's license and passport information didn't appear, though address, bank card, and social security number did. In addition, many of the item types store duplicate data. For example, a driver's license entry includes full snail-mail address info, also found in the Address type. And several of the item types, among them Wi-Fi Password and Database, are just bursting with arcane fields whose usefulness is doubtful.

Multifactor Security

It doesn't matter how complex your master password is if a thief gets ahold of it. From anywhere in the world, the thief can log in as you. LastPass does require email verification the first time you log in from a new device, which is good. But you can seriously enhance your security by taking advantage of the available multifactor authentication options.

To set up multifactor authentication, you open the Account Settings dialog. LastPass now offers LastPass Authenticator, a free app for iOS or Android. The free edition also supports Google Authenticator and work-alikes such as Duo Mobile and Twilio Authy. Setting up an authenticator just requires snapping a QR code using your mobile device. Once authentication is configured, each time you log in you'll need a one-time code generated by the app as well as your master password.

Dashlane now has the equivalent of Google Authenticator built in. The free Myki Password Manager & Authenticator also serves as a Google Authenticator replacement. Myki stores all your passwords on an Android phone or iPhone; there's no potentially hackable cloud storage.

LastPass also offers authentication through the Toopher and Transakt apps. With these apps, as with LastPass Authenticator, you get a push notification that lets you accept or reject the attempt to log in to your password vault. No need to type a six-digit code. However, Toopher has been acquired by Salesforce, so the app isn't available.

Don't have a smartphone? You can print a wallet-sized authentication grid. For authentication, LastPass requests characters found at specific grid coordinates. Talk about low-tech!

Two-factor authentication can get tedious after a while, so LastPass lets you define specific devices as trusted. When you log in from a trusted device, all you need is the master password. Trust expires every 30 days, and you can manually delete a lost device from the trusted list. For even more control, you can ban logins from any device that's not already on the trusted list.

Security Challenge

Getting all your passwords safely stored with LastPass is a good first step, but it's not enough. Now you need to go through those passwords and fix the weak ones, and the ones you've recycled for use on multiple websites. That's where the Security Challenge comes in.

Click the security challenge icon, reenter your master password, and get ready to see how good (or bad) your passwords are. Do note that to get the full advantage of the security challenge, including automated password changing, you must launch it from Chrome.

As part of the analysis, LastPass sifts out the email addresses found among your passwords and offers to check them against known breaches. Naturally, if you find that one of these addresses is associated with a breach, you should change all associated passwords immediately.

At the top of the resulting report you get an overall percentage score, your standing within the LastPass community, and a score for your master password. The overall score is mostly based on whether your passwords are strong and unique, but it includes other factors as well. For example, you lose 10 percentage points if you haven't enabled multifactor authentication.

Follow the prompts to fix four types of problems: compromised passwords, weak passwords, reused passwords, and old passwords. Note that LastPass measures age starting from the first time it encountered the password.

You can also scroll down for a full list of all your passwords, along with a password strength rating for each, the time you last changed it, and a button to help you update the password. For some common sites, LastPass displays an Auto-Change button; click it to have LastPass automatically update the password. You can also check off multiple items and update them all at once. If the site isn't among those LastPass can handle, a Launch Site button lets you go make the change manually. At present LastPass can auto-change about 80 sites, while Dashlane's similar feature supports over 500.

LastPass warns that you'll see web pages flashing by quickly as it makes the changes. I wouldn't call it quick. It took about 90 seconds to attempt changing my PayPal password, after which it reported that it couldn't manage the change. It did change my Facebook password without trouble.

Keeper doesn't attempt fully automated password changing, because doing so would compromise the company's zero-knowledge policy. However, when Keeper detects a typical password-change page, with one field for the old password and two for the new, it offers to update and save a new password with a single click.

LastPass for Android

LastPass does a great job of keeping the user experience the same across different platforms. The Android edition has all the Windows version's features, including password generator, emergency access, and security challenge. Admittedly, the information-rich security report is better viewed on a PC.

When you tap a site in the LastPass Android app, it opens in the internal browser, but you're free to use other browsers. If LastPass has a password for the site you're visiting in Chrome, it pops up an offer to fill your credentials automatically. It does this for InBrowser and Opera, too. Browsers aren't the only apps for which LastPass can fill passwords. It can log you in to most other apps as well.

There's a laundry list of other browsers for which LastPass can't automatically fill credentials, but pops up an offer to copy the password to the clipboard. These include Javelin, Javin, Boat, Yandex, HTC Sense, Dolphin, Silk, and Ghostery Private Browser. Firefox Mobile and Dolphin get support by way of browser extensions. I had no idea so many Android browsers existed!

You can configure LastPass to authenticate using your device's fingerprint sensor, if available. The Android edition also supports most of the other two-factor options. You can't use the premium-only USB-based Sesame utility, of course. And Yubikey authentication, also premium-only, requires a Yubikey model that supports authentication via NFC (Near Field Communication).

Really, though, the experience is extremely similar to using LastPass on other platforms. If you know how to use it on Windows, you know how to use it on Android.

LastPass for iPhone

Installed on an iPhone, LastPass gives you almost all the same features as on other platforms, but its user interface is quite different. Four icons across the bottom select Sites, Browser, Security, and Settings. Tapping to launch a site opens it in the internal browser. A browser extension lets LastPass fill credentials in Chrome or Safari. The Sites page also lets you access your secure notes and form filling data.

LastPass doesn't have quite the reach for filling application passwords as on Android. However, if you see a keyhole icon when logging into an app, you can tap it to fill credentials from LastPass. It's up to app developers to enable the iOS API that provides that keyhole.

The Security tab includes the password generator, emergency access, and the security challenge. As with Android, viewing the detailed security report on an iPhone isn't the best experience.

You can configure LastPass to log you in using TouchID, and the free edition's two-factor authentication options work. As with Android, the USB-based authentication tool is a no-go. In addition, while iPhones include NFC for such things as Apple Pay, Apple doesn't make it available to developers, so Yubikey authentication is out.

While the layout is rather different, the iPhone edition still gives you the same password management features as you get on other platforms.

Some Dated Features

LastPass offers to import from 31 competing products, but I had never heard of most of them. Of the more than 30 password managers I've reviewed, including free password managers, just 10 are on the import list. Four are defunct, including McAfee Safekey, superseded by True Key. There are 16 obscure products, many of them released by individuals rather than companies, several of them Linux-only, and some that haven't seen an update in many, many years. Finally, I couldn't visit the site for one of them because Norton blocked it as dangerous! The import list is wildly out of date.

As noted earlier, one of the product's two-factor offerings has the same problem. Because Salesforce acquired Toopher, the Toopher app is no longer available. To be fair, the addition of LastPass Authenticator more than makes up for Toopher's absence.

Some of the new item types, such as driver's license and passport data, are useful, though they'd be more useful if you could fill web forms with them. Others are puzzling and complex. If a curious user clicks the SSH Key type, LastPass asks for Bit Strength, Format, Passphrase, Private Key, Public Key, and more—scary! Wi-Fi Password sounds useful, but do you know your hotspot's Connection Type, Connection Mode, and FIPS Mode? The new types are nice, but some simplification may be in order.

In Account settings, you can define equivalent domains such as youtube.com, google.com, and gmail.com. A password for one is good for all. LastPass comes with dozens of these defined, but I doubt any user edits or adds to the list. The same is true of the list of URL rules, which let you define whether a given URL requires exact Host Matching and Port Matching. I'm not entirely sure what that even means. Once again, I doubt any user touches this feature. Hiding these features would help streamline the product.

Still a Winner

Despite the minor problems I mentioned, LastPass still packs more features than almost any other free password manager. Secure sharing, password inheritance, an actionable password strength report, and automated password changing are uncommon features in free products; LastPass has all four. Finally, you can use it on all your Windows, macOS, Android, and iOS devices. I still consider it a 4.5-star product, one that definitely merits an Editors' Choice award.

LogMeOnce Password Management Suite Premium, our other Editors' Choice for free password managers, currently has five stars. Like LastPass, it's packed with features. I'll be looking closely at its complexity when I next review it. Password managers need to work as smoothly as possible, or else users will go back to sticky notes.


About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted b...
